Second, the last time Microsoft released similar critical security patches was in April 2017. Those security patches closed a critical vulnerability that was susceptible to the EternalBlue exploit: an exploit developed by the United States National Security Agency (NSA) which was leaked by the Shadow Brokers group on April 14, 2017. It took only 28 days for North Korea to weaponize the leaked EternalBlue exploit into the worldwide WannaCry ransomware attack. In less than 24 hours, WannaCry infected more than 230,000 computers in over 150 countries. Total damages are estimated at between hundreds of millions and billions of dollars.

Third, numerous organizations still use the affected Windows operating systems. Although Microsoft will no longer support Windows 7 and its server siblings after January 20, 2020, over 36% of the desktop market is still currently using Windows 7. Worse yet, an estimated 40 million PCs still use Windows XP, although Microsoft stopped supporting that operating system on April 8, 2014, over five years ago. It’s clear that many organizations and users will continue using Windows 7 and Windows Server 2008 up to the end-of-support date and, based on historical precedent, well past the support termination date.

Fourth, this vulnerability enables hackers to create a worm attack through remote code execution. Why is this so dangerous? Computer and IT systems often have vulnerabilities, but many of them are isolated to that particular system or to a piece of software or application running on that system. To exploit these vulnerabilities, hackers must first gain access to the system. A remote code execution exploit is one of the most dangerous types of exploits because hackers or malicious software can remotely access and execute software on other systems, often without needing to authenticate, and they can even program this activity so that it occurs immediately. Thus, malicious software that infects a single device has the ability to quickly spread, or “worm”, its way throughout the entire environment. During the WannaCry attack, tens of thousands of computers within individual organizations were infected in less than a minute. When Microsoft itself uses the title “Prevent a worm by updating Remote Desktop Services” for its blog post announcing this vulnerability, it’s evident this is a serious security concern.

As Simon Pope, director of incident response at Microsoft’s Security Response Center explains in Microsoft’s blog post, “This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”

Fifth, due to the nature of a remote code execution exploit, a single vulnerable or “unpatched” system can still compromise the entire IT infrastructure, including devices that are “patched” or secure from the vulnerability. How is this possible? The NotPetya worm attack, which also leveraged the EternalBlue exploit, is a perfect example of how even just a few vulnerable systems can lead to total infrastructure compromise. When a remote code execution exploit is paired with password, token, or credential stealing techniques or exploits (or worse yet a built-in set of valid privileged account credentials, e.g. the Olympic Destroyer malware), the malicious worm can now use legitimate remote execution protocols and privileged credentials to spread.

Here’s a play-by-play explaining in more detail the situation above:

The malicious software, aka the “worm”, gets executed on a device in the organization. The worm may be executed, or run, by a hacker using an existing backdoor into the organization (e.g., NotPetya), by a user intentionally opening malicious attachments from an email spear phishing campaign, by a hacker targeting an exposed vulnerable port or protocol (e.g., WannaCry), by a user opening an infected document on a USB thumb drive they brought from home, etc.

At the same time, the worm identifies neighboring devices and attempts to spread, replicate, and execute itself on those remote devices using a remote code execution exploit that targets a known vulnerability (like this CVE).

In parallel, the worm uses exploits and techniques to harvest known privileged account credentials on the compromised system or uses a built-in list of valid credentials to spread, replicate, and execute itself on remote devices using legitimate account credentials and remote execution protocols and technologies (e.g., RDP, SSH, WMI, WinRM, RPC, etc.) inherent in almost all IT infrastructures.

At this stage, the malicious worm is rapidly targeting and compromising systems in the environment regardless of whether they are susceptible to the remote code execution vulnerability or not.
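As an added example (not from the Blackpoint post or the SNAP-Defense product), here is a small Python detector for the fan-out pattern in the play-by-play above: one source host reaching many peers over legitimate remote-execution protocols within seconds, using a single harvested privileged account. The host names, the account, the event format and the thresholds are all constructed for illustration.

```python
"""Added example (not from the Blackpoint post): a toy lateral-spread detector.
It flags a source host that fans out to many distinct destinations over
remote-execution protocols inside a short window, the pattern described in the
play-by-play above. Hosts, accounts and thresholds are constructed values."""
from collections import defaultdict
from datetime import datetime, timedelta

# Legitimate remote-execution protocols the post names as worm transport.
REMOTE_EXEC_PROTOCOLS = {"RDP", "SSH", "WMI", "WinRM", "RPC"}

# Constructed sample remote-logon events: "time,src,dst,account,protocol".
SAMPLE_EVENTS = """\
2019-05-15T10:00:01,WS-014,FS-01,CORP\\svc_backup,WMI
2019-05-15T10:00:03,WS-014,WS-022,CORP\\svc_backup,WMI
2019-05-15T10:00:04,WS-014,WS-023,CORP\\svc_backup,WinRM
2019-05-15T10:00:06,WS-014,DC-01,CORP\\svc_backup,RPC
2019-05-15T10:00:08,WS-014,WS-031,CORP\\svc_backup,RDP
2019-05-15T10:02:00,ADMIN-01,FS-01,CORP\\jdoe,RDP
2019-05-15T10:45:00,ADMIN-01,DC-01,CORP\\jdoe,RDP
2019-05-15T11:30:00,ADMIN-01,WS-022,CORP\\jdoe,RDP
"""

def parse_events(text):
    """Parse CSV lines into time-sorted (time, src, dst, account, proto) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, dst, account, proto = line.split(",")
        events.append((datetime.fromisoformat(ts), src, dst, account, proto))
    return sorted(events)

def detect_fan_out(events, window=timedelta(seconds=60), threshold=4):
    """Return {src: (accounts, destinations)} for sources reaching at least
    `threshold` distinct destinations within any `window`-long span."""
    by_src = defaultdict(list)
    for ts, src, dst, account, proto in events:
        if proto in REMOTE_EXEC_PROTOCOLS:
            by_src[src].append((ts, dst, account))
    alerts = {}
    for src, rows in by_src.items():
        best, start = set(), 0
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward past stale events
            dsts = {dst for _, dst, _ in rows[start:end + 1]}
            if len(dsts) > len(best):
                best = dsts
        if len(best) >= threshold:
            alerts[src] = (sorted({a for _, _, a in rows}), sorted(best))
    return alerts
```

Running `detect_fan_out(parse_events(SAMPLE_EVENTS))` flags WS-014 (five hosts in seven seconds with one service account) while the administrator's three RDP sessions spread over ninety minutes stay silent; in practice the threshold and window should be tuned against a baseline of normal administrative activity.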

So how do we prevent this vulnerability from becoming the next WannaCry?

Clearly, all users and organizations running one of the affected Microsoft operating systems should update their systems immediately. Unfortunately, many organizations struggle to ensure all their affected systems are updated. In addition, this vulnerability was acknowledged and patched by Microsoft before it was ever weaponized, but future vulnerabilities may not be. Finally, endpoint protection like anti-virus and anti-malware will initially be limited in its ability to stop the “worm” and may take hours or days before it is updated with the latest signatures to stop the malicious software from running.

Organizations looking to enhance their detection of such worm-like techniques against unknown remote code execution vulnerabilities, or other similar attacks which rely on lateral spread/movement and privileged account compromise, should consider Blackpoint’s SNAP-Defense platform. We designed and developed SNAP-Defense to be the best-in-class solution for monitoring and detecting lateral spread/movement and privileged account compromise. SNAP-Defense has patented lateral spread/movement detection, real-time asset and account visibility, and extensive monitoring of privileged account remote access and execution. With SNAP-Defense in place, organizations increase their ability to detect and stop lateral spread/movement-based attacks.

For an example of SNAP-Defense’s capability against these types of attacks and vulnerabilities, check out this video showing SNAP-Defense detecting the NotPetya malware, which used similar techniques to the WannaCry attack.

In closing, if you or your organization is running any of the affected Microsoft operating systems, please ensure you download and apply the latest security update patches from Microsoft, especially if you’re running Windows XP or Windows Server 2003, since you need to manually download the update from Microsoft’s Update Center.

Finally, consider implementing lateral movement/spread detection and privileged account monitoring technology, like Blackpoint’s SNAP-Defense platform in your organization. Better yet, consider a managed detection and response service, like Blackpoint’s MDR which leverages SNAP-Defense, to provide 24×7 monitoring of lateral movement/spread and privileged account use and can actually respond directly to any malicious behavior discovered in your IT environment on your behalf without the need for extra staff or resources. To learn more and to inquire about receiving a FREE demo, visit https://blackpointcyber.com/snap-defense/

BlackPoint Cyber
